* Re: mTLS on bmcweb [not found] <mailman.1237.1587601186.5884.openbmc@lists.ozlabs.org> @ 2020-04-23 10:47 ` P. K. Lee (李柏寬) 2020-04-23 15:50 ` Joseph Reynolds 0 siblings, 1 reply; 14+ messages in thread From: P. K. Lee (李柏寬) @ 2020-04-23 10:47 UTC (permalink / raw) To: ztai; +Cc: openbmc Hi, I encountered the same issue when using Redfish to replace the certificate. Regardless of whether the parameters include --cert --key --cacert or only --cacert, the authentication can still succeed. Best, P.K. > Date: Wed, 22 Apr 2020 14:58:06 -0700 > From: Zhenfei Tai <ztai@google.com> > To: openbmc@lists.ozlabs.org > Subject: mTLS on bmcweb > Message-ID: > <CAMXw96Pp511sUO=q1XLz2uJzh4S6D7tUwmkvpbnq_yU-iJfiKg@mail.g > mail.com> > Content-Type: text/plain; charset="utf-8" > > Hi, > > I'm trying out bmcweb mTLS which should be enabled by default by > https://github.com/openbmc/bmcweb/blob/master/CMakeLists.txt#L89 > > In my test, I created a self signed key and certificate pair, stacked them > up into server.pem in /etc/ssl/certs/https that bmcweb uses. > > However when I tried to curl bmcweb service, I was able to get response by > only supplying the cert. > > curl --cacert cert.pem https://${bmc}/redfish/v1 > > With the mTLS enabled, I expected it should error out since no client > certificate is provided. > > Could someone with relevant knowledge help with my question? > > Thanks, > Zhenfei ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: mTLS on bmcweb 2020-04-23 10:47 ` mTLS on bmcweb P. K. Lee (李柏寬) @ 2020-04-23 15:50 ` Joseph Reynolds 2020-04-23 16:36 ` Zhenfei Tai 0 siblings, 1 reply; 14+ messages in thread From: Joseph Reynolds @ 2020-04-23 15:50 UTC (permalink / raw) To: P. K. Lee (李柏寬), ztai; +Cc: openbmc On 4/23/20 5:47 AM, P. K. Lee (李柏寬) wrote: > Hi, > > I encountered the same issue when using Redfish to replace the certificate. > Regardless of whether the parameters include --cert --key --cacert or only --cacert, the authentication can still succeed. > > Best, > P.K. > >> Date: Wed, 22 Apr 2020 14:58:06 -0700 >> From: Zhenfei Tai <ztai@google.com> >> To: openbmc@lists.ozlabs.org >> Subject: mTLS on bmcweb >> Message-ID: >> <CAMXw96Pp511sUO=q1XLz2uJzh4S6D7tUwmkvpbnq_yU-iJfiKg@mail.g >> mail.com> >> Content-Type: text/plain; charset="utf-8" >> >> Hi, >> >> I'm trying out bmcweb mTLS which should be enabled by default by >> https://github.com/openbmc/bmcweb/blob/master/CMakeLists.txt#L89 >> >> In my test, I created a self signed key and certificate pair, stacked them >> up into server.pem in /etc/ssl/certs/https that bmcweb uses. >> >> However when I tried to curl bmcweb service, I was able to get response by >> only supplying the cert. >> >> curl --cacert cert.pem https://${bmc}/redfish/v1 >> >> With the mTLS enabled, I expected it should error out since no client >> certificate is provided. >> >> Could someone with relevant knowledge help with my question? I'm not sure what you are asking. Are you asking how to install mTLS certs into the BMC and then use them to connect? I am still waiting for documentation that describes how to configure and use the mTLS feature. I've added an entry to the security working group as a reminder to do this. (I don't have the skill to document this feature.) - Joseph >> >> Thanks, >> Zhenfei ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: mTLS on bmcweb 2020-04-23 15:50 ` Joseph Reynolds @ 2020-04-23 16:36 ` Zhenfei Tai 2020-04-23 17:35 ` Richard Hanley 0 siblings, 1 reply; 14+ messages in thread From: Zhenfei Tai @ 2020-04-23 16:36 UTC (permalink / raw) To: Joseph Reynolds; +Cc: P. K. Lee (李柏寬), openbmc [-- Attachment #1: Type: text/plain, Size: 1966 bytes --] I guess part of my question is how to configure the mTLS certs to make it work properly. So far only https works (server side TLS). Thanks, Zhenfei On Thu, Apr 23, 2020 at 8:50 AM Joseph Reynolds <jrey@linux.ibm.com> wrote: > On 4/23/20 5:47 AM, P. K. Lee (李柏寬) wrote: > > Hi, > > > > I encountered the same issue when using Redfish to replace the > certificate. > > Regardless of whether the parameters include --cert --key --cacert or > only --cacert, the authentication can still succeed. > > > > Best, > > P.K. > > > >> Date: Wed, 22 Apr 2020 14:58:06 -0700 > >> From: Zhenfei Tai <ztai@google.com> > >> To: openbmc@lists.ozlabs.org > >> Subject: mTLS on bmcweb > >> Message-ID: > >> <CAMXw96Pp511sUO=q1XLz2uJzh4S6D7tUwmkvpbnq_yU-iJfiKg@mail.g > >> mail.com> > >> Content-Type: text/plain; charset="utf-8" > >> > >> Hi, > >> > >> I'm trying out bmcweb mTLS which should be enabled by default by > >> https://github.com/openbmc/bmcweb/blob/master/CMakeLists.txt#L89 > >> > >> In my test, I created a self signed key and certificate pair, stacked > them > >> up into server.pem in /etc/ssl/certs/https that bmcweb uses. > >> > >> However when I tried to curl bmcweb service, I was able to get response > by > >> only supplying the cert. > >> > >> curl --cacert cert.pem https://${bmc}/redfish/v1 > >> > >> With the mTLS enabled, I expected it should error out since no client > >> certificate is provided. > >> > >> Could someone with relevant knowledge help with my question? > > I'm not sure what you are asking. Are you asking how to install mTLS > certs into the BMC and then use them to connect? I am still waiting for > documentation that describes how to configure and use the mTLS feature. > > I've added an entry to the security working group as a reminder to do > this. (I don't have the skill to document this feature.) > > - Joseph > > >> > >> Thanks, > >> Zhenfei > > [-- Attachment #2: Type: text/html, Size: 2916 bytes --] ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: mTLS on bmcweb 2020-04-23 16:36 ` Zhenfei Tai @ 2020-04-23 17:35 ` Richard Hanley 2020-04-24 17:03 ` Wiktor Gołgowski 0 siblings, 1 reply; 14+ messages in thread From: Richard Hanley @ 2020-04-23 17:35 UTC (permalink / raw) To: Zhenfei Tai Cc: Joseph Reynolds, openbmc, P. K. Lee (李柏寬) [-- Attachment #1: Type: text/plain, Size: 2354 bytes --] My guess is that somehow the root cert used to validate clients isn't installed correctly, and so it's defaulting to basic auth. At least that's my reading of this review https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/27270 On Thu, Apr 23, 2020 at 9:47 AM Zhenfei Tai <ztai@google.com> wrote: > I guess part of my question is how to configure the mTLS certs to make it > work properly. > > So far only https works (server side TLS). > > Thanks, > Zhenfei > > On Thu, Apr 23, 2020 at 8:50 AM Joseph Reynolds <jrey@linux.ibm.com> > wrote: > >> On 4/23/20 5:47 AM, P. K. Lee (李柏寬) wrote: >> > Hi, >> > >> > I encountered the same issue when using Redfish to replace the >> certificate. >> > Regardless of whether the parameters include --cert --key --cacert or >> only --cacert, the authentication can still succeed. >> > >> > Best, >> > P.K. >> > >> >> Date: Wed, 22 Apr 2020 14:58:06 -0700 >> >> From: Zhenfei Tai <ztai@google.com> >> >> To: openbmc@lists.ozlabs.org >> >> Subject: mTLS on bmcweb >> >> Message-ID: >> >> <CAMXw96Pp511sUO=q1XLz2uJzh4S6D7tUwmkvpbnq_yU-iJfiKg@mail.g >> >> mail.com> >> >> Content-Type: text/plain; charset="utf-8" >> >> >> >> Hi, >> >> >> >> I'm trying out bmcweb mTLS which should be enabled by default by >> >> https://github.com/openbmc/bmcweb/blob/master/CMakeLists.txt#L89 >> >> >> >> In my test, I created a self signed key and certificate pair, stacked >> them >> >> up into server.pem in /etc/ssl/certs/https that bmcweb uses. >> >> >> >> However when I tried to curl bmcweb service, I was able to get >> response by >> >> only supplying the cert. >> >> >> >> curl --cacert cert.pem https://${bmc}/redfish/v1 >> >> >> >> With the mTLS enabled, I expected it should error out since no client >> >> certificate is provided. >> >> >> >> Could someone with relevant knowledge help with my question? >> >> I'm not sure what you are asking. Are you asking how to install mTLS >> certs into the BMC and then use them to connect? I am still waiting for >> documentation that describes how to configure and use the mTLS feature. >> >> I've added an entry to the security working group as a reminder to do >> this. (I don't have the skill to document this feature.) >> >> - Joseph >> >> >> >> >> Thanks, >> >> Zhenfei >> >> [-- Attachment #2: Type: text/html, Size: 3644 bytes --] ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: mTLS on bmcweb 2020-04-23 17:35 ` Richard Hanley @ 2020-04-24 17:03 ` Wiktor Gołgowski 2020-04-30 13:27 ` P. K. Lee (李柏寬) 0 siblings, 1 reply; 14+ messages in thread From: Wiktor Gołgowski @ 2020-04-24 17:03 UTC (permalink / raw) To: Richard Hanley, Zhenfei Tai Cc: openbmc, P.K.Lee, jrey, P. K. Lee (李柏寬), Joseph Reynolds On 4/23/20 7:35 PM, Richard Hanley wrote: > My guess is that somehow the root cert used to validate clients isn't installed correctly, and so it's defaulting to basic auth. > > At least that's my reading of this review https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/27270 > I think this would be the case. If the client certificate is not provided, TLS connection is still established, just without authenticating the client. This allows upper layer to provide other authentication methods (e.g. Basic Auth). > > On Thu, Apr 23, 2020 at 9:47 AM Zhenfei Tai <ztai@google.com <mailto:ztai@google.com>> wrote: > > I guess part of my question is how to configure the mTLS certs to make it work properly. > > So far only https works (server side TLS). > > Thanks, > Zhenfei > > On Thu, Apr 23, 2020 at 8:50 AM Joseph Reynolds <jrey@linux.ibm.com <mailto:jrey@linux.ibm.com>> wrote: > > On 4/23/20 5:47 AM, P. K. Lee (李柏寬) wrote: > > Hi, > > > > I encountered the same issue when using Redfish to replace the certificate. > > Regardless of whether the parameters include --cert --key --cacert or only --cacert, the authentication can still succeed. > > > > Best, > > P.K. > > > >> Date: Wed, 22 Apr 2020 14:58:06 -0700 > >> From: Zhenfei Tai <ztai@google.com <mailto:ztai@google.com>> > >> To: openbmc@lists.ozlabs.org <mailto:openbmc@lists.ozlabs.org> > >> Subject: mTLS on bmcweb > >> Message-ID: > >> <CAMXw96Pp511sUO=q1XLz2uJzh4S6D7tUwmkvpbnq_yU-iJfiKg@mail.g > >> mail.com <http://mail.com>> > >> Content-Type: text/plain; charset="utf-8" > >> > >> Hi, > >> > >> I'm trying out bmcweb mTLS which should be enabled by default by > >> https://github.com/openbmc/bmcweb/blob/master/CMakeLists.txt#L89 > >> > >> In my test, I created a self signed key and certificate pair, stacked them > >> up into server.pem in /etc/ssl/certs/https that bmcweb uses. > >> > >> However when I tried to curl bmcweb service, I was able to get response by > >> only supplying the cert. > >> > >> curl --cacert cert.pem https://${bmc}/redfish/v1 > >> > >> With the mTLS enabled, I expected it should error out since no client > >> certificate is provided. > >> As mentioned, if you did not provide a client certificate, connection was established to allow for Basic Auth. And as the Service Root requires no authentication, you got a response. - Wiktor > >> Could someone with relevant knowledge help with my question? > > I'm not sure what you are asking. Are you asking how to install mTLS > certs into the BMC and then use them to connect? I am still waiting for > documentation that describes how to configure and use the mTLS feature. > > I've added an entry to the security working group as a reminder to do > this. (I don't have the skill to document this feature.) > > - Joseph > > >> > >> Thanks, > >> Zhenfei > ^ permalink raw reply [flat|nested] 14+ messages in thread
* RE: mTLS on bmcweb 2020-04-24 17:03 ` Wiktor Gołgowski @ 2020-04-30 13:27 ` P. K. Lee (李柏寬) 2020-04-30 18:34 ` Zhenfei Tai 0 siblings, 1 reply; 14+ messages in thread From: P. K. Lee (李柏寬) @ 2020-04-30 13:27 UTC (permalink / raw) To: Wiktor Gołgowski, Richard Hanley, Zhenfei Tai Cc: openbmc, jrey, Joseph Reynolds I found a way to fix this issue, but it needs to be modified to the source code. In two steps: Step 1. The source code "adaptor.set_verify_mode(boost::asio::ssl::verify_peer);" in http_connection.h is replaced with "adaptor.set_verify_mode(boost::asio::ssl::verify_peer | boost::asio::ssl::verify_fail_if_no_peer_cert);" Step 2. AccountService->Oem->OpenBMC->AuthMethods->TLS is set. (false by default) It will enable enforce mTLS authentication. Best, P.K. > -----Original Message----- > From: Wiktor Gołgowski <wiktor.golgowski@linux.intel.com> > Sent: Saturday, April 25, 2020 1:03 AM > To: Richard Hanley <rhanley@google.com>; Zhenfei Tai <ztai@google.com> > Cc: openbmc@lists.ozlabs.org; P. K. Lee (李柏寬) <P.K.Lee@quantatw.com>; > jrey@linux.ibm.com; P. K. Lee (李柏寬) <P.K.Lee@quantatw.com>; Joseph > Reynolds <jrey@linux.ibm.com> > Subject: Re: mTLS on bmcweb > > > > On 4/23/20 7:35 PM, Richard Hanley wrote: > > My guess is that somehow the root cert used to validate clients isn't installed > correctly, and so it's defaulting to basic auth. > > > > At least that's my reading of this review > > https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/27270 > > > > I think this would be the case. If the client certificate is not provided, TLS > connection is still established, just without authenticating the client. This > allows upper layer to provide other authentication methods (e.g. Basic Auth). > > > > On Thu, Apr 23, 2020 at 9:47 AM Zhenfei Tai <ztai@google.com > <mailto:ztai@google.com>> wrote: > > > > I guess part of my question is how to configure the mTLS certs to make > it work properly. > > > > So far only https works (server side TLS). > > > > Thanks, > > Zhenfei > > > > On Thu, Apr 23, 2020 at 8:50 AM Joseph Reynolds <jrey@linux.ibm.com > <mailto:jrey@linux.ibm.com>> wrote: > > > > On 4/23/20 5:47 AM, P. K. Lee (李柏寬) wrote: > > > Hi, > > > > > > I encountered the same issue when using Redfish to replace the > certificate. > > > Regardless of whether the parameters include --cert --key > --cacert or only --cacert, the authentication can still succeed. > > > > > > Best, > > > P.K. > > > > > >> Date: Wed, 22 Apr 2020 14:58:06 -0700 > > >> From: Zhenfei Tai <ztai@google.com > <mailto:ztai@google.com>> > > >> To: openbmc@lists.ozlabs.org > <mailto:openbmc@lists.ozlabs.org> > > >> Subject: mTLS on bmcweb > > >> Message-ID: > > > >> <CAMXw96Pp511sUO=q1XLz2uJzh4S6D7tUwmkvpbnq_yU-iJfiKg@ > mail.g > > >> mail.com <http://mail.com>> > > >> Content-Type: text/plain; charset="utf-8" > > >> > > >> Hi, > > >> > > >> I'm trying out bmcweb mTLS which should be enabled by > default by > > >> > https://github.com/openbmc/bmcweb/blob/master/CMakeLists.txt#L89 > > >> > > >> In my test, I created a self signed key and certificate pair, > stacked them > > >> up into server.pem in /etc/ssl/certs/https that bmcweb uses. > > >> > > >> However when I tried to curl bmcweb service, I was able to get > response by > > >> only supplying the cert. > > >> > > >> curl --cacert cert.pem https://${bmc}/redfish/v1 > > >> > > >> With the mTLS enabled, I expected it should error out since no > client > > >> certificate is provided. > > >> > > As mentioned, if you did not provide a client certificate, connection was > established to allow for Basic Auth. And as the Service Root requires no > authentication, you got a response. > > - Wiktor > > > >> Could someone with relevant knowledge help with my > question? > > > > I'm not sure what you are asking. Are you asking how to install > mTLS > > certs into the BMC and then use them to connect? I am still > waiting for > > documentation that describes how to configure and use the mTLS > feature. > > > > I've added an entry to the security working group as a reminder to > do > > this. (I don't have the skill to document this feature.) > > > > - Joseph > > > > >> > > >> Thanks, > > >> Zhenfei > > ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: mTLS on bmcweb 2020-04-30 13:27 ` P. K. Lee (李柏寬) @ 2020-04-30 18:34 ` Zhenfei Tai 2020-04-30 19:09 ` Zhenfei Tai 0 siblings, 1 reply; 14+ messages in thread From: Zhenfei Tai @ 2020-04-30 18:34 UTC (permalink / raw) To: P. K. Lee (李柏寬) Cc: Wiktor Gołgowski, Richard Hanley, openbmc, jrey [-- Attachment #1: Type: text/plain, Size: 5039 bytes --] Hi P.K. I tried the same thing. Could you share which url you tested? With that change, if I access the https://${bmc}/redfish/v1 url in chrome, it prompts to choose a client certificate, but will also work if no certificate is chosen. Thanks, Zhenfei On Thu, Apr 30, 2020 at 6:27 AM P. K. Lee (李柏寬) <P.K.Lee@quantatw.com> wrote: > I found a way to fix this issue, but it needs to be modified to the source > code. In two steps: > > Step 1. > The source code "adaptor.set_verify_mode(boost::asio::ssl::verify_peer);" > in http_connection.h is replaced with > "adaptor.set_verify_mode(boost::asio::ssl::verify_peer | > boost::asio::ssl::verify_fail_if_no_peer_cert);" > > Step 2. > AccountService->Oem->OpenBMC->AuthMethods->TLS is set. (false by default) > > It will enable enforce mTLS authentication. > > Best, > P.K. > > > -----Original Message----- > > From: Wiktor Gołgowski <wiktor.golgowski@linux.intel.com> > > Sent: Saturday, April 25, 2020 1:03 AM > > To: Richard Hanley <rhanley@google.com>; Zhenfei Tai <ztai@google.com> > > Cc: openbmc@lists.ozlabs.org; P. K. Lee (李柏寬) <P.K.Lee@quantatw.com>; > > jrey@linux.ibm.com; P. K. Lee (李柏寬) <P.K.Lee@quantatw.com>; Joseph > > Reynolds <jrey@linux.ibm.com> > > Subject: Re: mTLS on bmcweb > > > > > > > > On 4/23/20 7:35 PM, Richard Hanley wrote: > > > My guess is that somehow the root cert used to validate clients isn't > installed > > correctly, and so it's defaulting to basic auth. > > > > > > At least that's my reading of this review > > > https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/27270 > > > > > > > I think this would be the case. If the client certificate is not > provided, TLS > > connection is still established, just without authenticating the client. > This > > allows upper layer to provide other authentication methods (e.g. Basic > Auth). > > > > > > On Thu, Apr 23, 2020 at 9:47 AM Zhenfei Tai <ztai@google.com > > <mailto:ztai@google.com>> wrote: > > > > > > I guess part of my question is how to configure the mTLS certs to > make > > it work properly. > > > > > > So far only https works (server side TLS). > > > > > > Thanks, > > > Zhenfei > > > > > > On Thu, Apr 23, 2020 at 8:50 AM Joseph Reynolds < > jrey@linux.ibm.com > > <mailto:jrey@linux.ibm.com>> wrote: > > > > > > On 4/23/20 5:47 AM, P. K. Lee (李柏寬) wrote: > > > > Hi, > > > > > > > > I encountered the same issue when using Redfish to replace > the > > certificate. > > > > Regardless of whether the parameters include --cert --key > > --cacert or only --cacert, the authentication can still succeed. > > > > > > > > Best, > > > > P.K. > > > > > > > >> Date: Wed, 22 Apr 2020 14:58:06 -0700 > > > >> From: Zhenfei Tai <ztai@google.com > > <mailto:ztai@google.com>> > > > >> To: openbmc@lists.ozlabs.org > > <mailto:openbmc@lists.ozlabs.org> > > > >> Subject: mTLS on bmcweb > > > >> Message-ID: > > > > > >> <CAMXw96Pp511sUO=q1XLz2uJzh4S6D7tUwmkvpbnq_yU-iJfiKg@ > > mail.g > > > >> mail.com <http://mail.com>> > > > >> Content-Type: text/plain; charset="utf-8" > > > >> > > > >> Hi, > > > >> > > > >> I'm trying out bmcweb mTLS which should be enabled by > > default by > > > >> > > https://github.com/openbmc/bmcweb/blob/master/CMakeLists.txt#L89 > > > >> > > > >> In my test, I created a self signed key and certificate > pair, > > stacked them > > > >> up into server.pem in /etc/ssl/certs/https that bmcweb uses. > > > >> > > > >> However when I tried to curl bmcweb service, I was able to > get > > response by > > > >> only supplying the cert. > > > >> > > > >> curl --cacert cert.pem https://${bmc}/redfish/v1 > > > >> > > > >> With the mTLS enabled, I expected it should error out since > no > > client > > > >> certificate is provided. > > > >> > > > > As mentioned, if you did not provide a client certificate, connection was > > established to allow for Basic Auth. And as the Service Root requires no > > authentication, you got a response. > > > > - Wiktor > > > > > >> Could someone with relevant knowledge help with my > > question? > > > > > > I'm not sure what you are asking. Are you asking how to > install > > mTLS > > > certs into the BMC and then use them to connect? I am still > > waiting for > > > documentation that describes how to configure and use the mTLS > > feature. > > > > > > I've added an entry to the security working group as a > reminder to > > do > > > this. (I don't have the skill to document this feature.) > > > > > > - Joseph > > > > > > >> > > > >> Thanks, > > > >> Zhenfei > > > > [-- Attachment #2: Type: text/html, Size: 7995 bytes --] ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: mTLS on bmcweb 2020-04-30 18:34 ` Zhenfei Tai @ 2020-04-30 19:09 ` Zhenfei Tai 2020-04-30 23:39 ` Zhenfei Tai 0 siblings, 1 reply; 14+ messages in thread From: Zhenfei Tai @ 2020-04-30 19:09 UTC (permalink / raw) To: P. K. Lee (李柏寬) Cc: Wiktor Gołgowski, Richard Hanley, openbmc, jrey [-- Attachment #1: Type: text/plain, Size: 5870 bytes --] Also, with that change in http_connection.h, it still accepts any client certificate provided in curl. Here's what I did: 1. Disable BMCWEB_ENABLE_MUTUAL_TLS_AUTHENTICATION 2. Uncommented ssl_key_handler.hpp:315 and added the boost::asio::ssl::verify_fail_if_no_peer_cert Behavior after change: 1. Rejects curl without client certificate. 2. Returns when client certificate matches the one authority directory. 3. Rejects when client sends other certificates. The change is just for testing purposes, I guess the original intention was not to mTLS every request. On Thu, Apr 30, 2020 at 11:34 AM Zhenfei Tai <ztai@google.com> wrote: > Hi P.K. > > I tried the same thing. > > Could you share which url you tested? > With that change, if I access the https://${bmc}/redfish/v1 url in > chrome, it prompts to choose a client certificate, but will also work if no > certificate is chosen. > > Thanks, > Zhenfei > > On Thu, Apr 30, 2020 at 6:27 AM P. K. Lee (李柏寬) <P.K.Lee@quantatw.com> > wrote: > >> I found a way to fix this issue, but it needs to be modified to the >> source code. In two steps: >> >> Step 1. >> The source code "adaptor.set_verify_mode(boost::asio::ssl::verify_peer);" >> in http_connection.h is replaced with >> "adaptor.set_verify_mode(boost::asio::ssl::verify_peer | >> boost::asio::ssl::verify_fail_if_no_peer_cert);" >> >> Step 2. >> AccountService->Oem->OpenBMC->AuthMethods->TLS is set. (false by default) >> >> It will enable enforce mTLS authentication. >> >> Best, >> P.K. >> >> > -----Original Message----- >> > From: Wiktor Gołgowski <wiktor.golgowski@linux.intel.com> >> > Sent: Saturday, April 25, 2020 1:03 AM >> > To: Richard Hanley <rhanley@google.com>; Zhenfei Tai <ztai@google.com> >> > Cc: openbmc@lists.ozlabs.org; P. K. Lee (李柏寬) <P.K.Lee@quantatw.com>; >> > jrey@linux.ibm.com; P. K. Lee (李柏寬) <P.K.Lee@quantatw.com>; Joseph >> > Reynolds <jrey@linux.ibm.com> >> > Subject: Re: mTLS on bmcweb >> > >> > >> > >> > On 4/23/20 7:35 PM, Richard Hanley wrote: >> > > My guess is that somehow the root cert used to validate clients isn't >> installed >> > correctly, and so it's defaulting to basic auth. >> > > >> > > At least that's my reading of this review >> > > https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/27270 >> > > >> > >> > I think this would be the case. If the client certificate is not >> provided, TLS >> > connection is still established, just without authenticating the >> client. This >> > allows upper layer to provide other authentication methods (e.g. Basic >> Auth). >> > > >> > > On Thu, Apr 23, 2020 at 9:47 AM Zhenfei Tai <ztai@google.com >> > <mailto:ztai@google.com>> wrote: >> > > >> > > I guess part of my question is how to configure the mTLS certs to >> make >> > it work properly. >> > > >> > > So far only https works (server side TLS). >> > > >> > > Thanks, >> > > Zhenfei >> > > >> > > On Thu, Apr 23, 2020 at 8:50 AM Joseph Reynolds < >> jrey@linux.ibm.com >> > <mailto:jrey@linux.ibm.com>> wrote: >> > > >> > > On 4/23/20 5:47 AM, P. K. Lee (李柏寬) wrote: >> > > > Hi, >> > > > >> > > > I encountered the same issue when using Redfish to replace >> the >> > certificate. >> > > > Regardless of whether the parameters include --cert --key >> > --cacert or only --cacert, the authentication can still succeed. >> > > > >> > > > Best, >> > > > P.K. >> > > > >> > > >> Date: Wed, 22 Apr 2020 14:58:06 -0700 >> > > >> From: Zhenfei Tai <ztai@google.com >> > <mailto:ztai@google.com>> >> > > >> To: openbmc@lists.ozlabs.org >> > <mailto:openbmc@lists.ozlabs.org> >> > > >> Subject: mTLS on bmcweb >> > > >> Message-ID: >> > > >> > >> <CAMXw96Pp511sUO=q1XLz2uJzh4S6D7tUwmkvpbnq_yU-iJfiKg@ >> > mail.g >> > > >> mail.com <http://mail.com>> >> > > >> Content-Type: text/plain; charset="utf-8" >> > > >> >> > > >> Hi, >> > > >> >> > > >> I'm trying out bmcweb mTLS which should be enabled by >> > default by >> > > >> >> > https://github.com/openbmc/bmcweb/blob/master/CMakeLists.txt#L89 >> > > >> >> > > >> In my test, I created a self signed key and certificate >> pair, >> > stacked them >> > > >> up into server.pem in /etc/ssl/certs/https that bmcweb >> uses. >> > > >> >> > > >> However when I tried to curl bmcweb service, I was able to >> get >> > response by >> > > >> only supplying the cert. >> > > >> >> > > >> curl --cacert cert.pem https://${bmc}/redfish/v1 >> > > >> >> > > >> With the mTLS enabled, I expected it should error out >> since no >> > client >> > > >> certificate is provided. >> > > >> >> > >> > As mentioned, if you did not provide a client certificate, connection >> was >> > established to allow for Basic Auth. And as the Service Root requires no >> > authentication, you got a response. >> > >> > - Wiktor >> > >> > > >> Could someone with relevant knowledge help with my >> > question? >> > > >> > > I'm not sure what you are asking. Are you asking how to >> install >> > mTLS >> > > certs into the BMC and then use them to connect? I am still >> > waiting for >> > > documentation that describes how to configure and use the mTLS >> > feature. >> > > >> > > I've added an entry to the security working group as a >> reminder to >> > do >> > > this. (I don't have the skill to document this feature.) >> > > >> > > - Joseph >> > > >> > > >> >> > > >> Thanks, >> > > >> Zhenfei >> > > >> > [-- Attachment #2: Type: text/html, Size: 9039 bytes --] ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: mTLS on bmcweb 2020-04-30 19:09 ` Zhenfei Tai @ 2020-04-30 23:39 ` Zhenfei Tai 2020-05-04 2:27 ` P. K. Lee (李柏寬) 0 siblings, 1 reply; 14+ messages in thread From: Zhenfei Tai @ 2020-04-30 23:39 UTC (permalink / raw) To: P. K. Lee (李柏寬) Cc: Wiktor Gołgowski, Richard Hanley, openbmc, jrey [-- Attachment #1: Type: text/plain, Size: 6704 bytes --] I did more testing and found the reason why it accepts any client certification. The error is due to the self signed certificate cannot be found in the list of trusted certificates. Without the user defined verify callback function, it works as expected. #define X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT <https://docs.huihoo.com/doxygen/openssl/1.0.1c/crypto_2x509_2x509__vfy_8h.html#aa4f5a3309eae833f85dff37c36fa039d> 18 // Check if certificate is OK int error = X509_STORE_CTX_get_error(cts); if (error != X509_V_OK) { return true; } On Thu, Apr 30, 2020 at 12:09 PM Zhenfei Tai <ztai@google.com> wrote: > Also, with that change in http_connection.h, it still accepts any client > certificate provided in curl. > > Here's what I did: > 1. Disable BMCWEB_ENABLE_MUTUAL_TLS_AUTHENTICATION > 2. Uncommented ssl_key_handler.hpp:315 and added the > boost::asio::ssl::verify_fail_if_no_peer_cert > > Behavior after change: > 1. Rejects curl without client certificate. > 2. Returns when client certificate matches the one authority directory. > 3. Rejects when client sends other certificates. > > The change is just for testing purposes, I guess the original intention > was not to mTLS every request. > > On Thu, Apr 30, 2020 at 11:34 AM Zhenfei Tai <ztai@google.com> wrote: > >> Hi P.K. >> >> I tried the same thing. >> >> Could you share which url you tested? >> With that change, if I access the https://${bmc}/redfish/v1 url in >> chrome, it prompts to choose a client certificate, but will also work if no >> certificate is chosen. >> >> Thanks, >> Zhenfei >> >> On Thu, Apr 30, 2020 at 6:27 AM P. K. Lee (李柏寬) <P.K.Lee@quantatw.com> >> wrote: >> >>> I found a way to fix this issue, but it needs to be modified to the >>> source code. In two steps: >>> >>> Step 1. >>> The source code >>> "adaptor.set_verify_mode(boost::asio::ssl::verify_peer);" in >>> http_connection.h is replaced with >>> "adaptor.set_verify_mode(boost::asio::ssl::verify_peer | >>> boost::asio::ssl::verify_fail_if_no_peer_cert);" >>> >>> Step 2. >>> AccountService->Oem->OpenBMC->AuthMethods->TLS is set. (false by default) >>> >>> It will enable enforce mTLS authentication. >>> >>> Best, >>> P.K. >>> >>> > -----Original Message----- >>> > From: Wiktor Gołgowski <wiktor.golgowski@linux.intel.com> >>> > Sent: Saturday, April 25, 2020 1:03 AM >>> > To: Richard Hanley <rhanley@google.com>; Zhenfei Tai <ztai@google.com> >>> > Cc: openbmc@lists.ozlabs.org; P. K. Lee (李柏寬) <P.K.Lee@quantatw.com>; >>> > jrey@linux.ibm.com; P. K. Lee (李柏寬) <P.K.Lee@quantatw.com>; Joseph >>> > Reynolds <jrey@linux.ibm.com> >>> > Subject: Re: mTLS on bmcweb >>> > >>> > >>> > >>> > On 4/23/20 7:35 PM, Richard Hanley wrote: >>> > > My guess is that somehow the root cert used to validate clients >>> isn't installed >>> > correctly, and so it's defaulting to basic auth. >>> > > >>> > > At least that's my reading of this review >>> > > https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/27270 >>> > > >>> > >>> > I think this would be the case. If the client certificate is not >>> provided, TLS >>> > connection is still established, just without authenticating the >>> client. This >>> > allows upper layer to provide other authentication methods (e.g. Basic >>> Auth). >>> > > >>> > > On Thu, Apr 23, 2020 at 9:47 AM Zhenfei Tai <ztai@google.com >>> > <mailto:ztai@google.com>> wrote: >>> > > >>> > > I guess part of my question is how to configure the mTLS certs >>> to make >>> > it work properly. >>> > > >>> > > So far only https works (server side TLS). >>> > > >>> > > Thanks, >>> > > Zhenfei >>> > > >>> > > On Thu, Apr 23, 2020 at 8:50 AM Joseph Reynolds < >>> jrey@linux.ibm.com >>> > <mailto:jrey@linux.ibm.com>> wrote: >>> > > >>> > > On 4/23/20 5:47 AM, P. K. Lee (李柏寬) wrote: >>> > > > Hi, >>> > > > >>> > > > I encountered the same issue when using Redfish to replace >>> the >>> > certificate. >>> > > > Regardless of whether the parameters include --cert --key >>> > --cacert or only --cacert, the authentication can still succeed. >>> > > > >>> > > > Best, >>> > > > P.K. >>> > > > >>> > > >> Date: Wed, 22 Apr 2020 14:58:06 -0700 >>> > > >> From: Zhenfei Tai <ztai@google.com >>> > <mailto:ztai@google.com>> >>> > > >> To: openbmc@lists.ozlabs.org >>> > <mailto:openbmc@lists.ozlabs.org> >>> > > >> Subject: mTLS on bmcweb >>> > > >> Message-ID: >>> > > >>> > >> <CAMXw96Pp511sUO=q1XLz2uJzh4S6D7tUwmkvpbnq_yU-iJfiKg@ >>> > mail.g >>> > > >> mail.com <http://mail.com>> >>> > > >> Content-Type: text/plain; charset="utf-8" >>> > > >> >>> > > >> Hi, >>> > > >> >>> > > >> I'm trying out bmcweb mTLS which should be enabled by >>> > default by >>> > > >> >>> > https://github.com/openbmc/bmcweb/blob/master/CMakeLists.txt#L89 >>> > > >> >>> > > >> In my test, I created a self signed key and certificate >>> pair, >>> > stacked them >>> > > >> up into server.pem in /etc/ssl/certs/https that bmcweb >>> uses. >>> > > >> >>> > > >> However when I tried to curl bmcweb service, I was able >>> to get >>> > response by >>> > > >> only supplying the cert. >>> > > >> >>> > > >> curl --cacert cert.pem https://${bmc}/redfish/v1 >>> > > >> >>> > > >> With the mTLS enabled, I expected it should error out >>> since no >>> > client >>> > > >> certificate is provided. >>> > > >> >>> > >>> > As mentioned, if you did not provide a client certificate, connection >>> was >>> > established to allow for Basic Auth. And as the Service Root requires >>> no >>> > authentication, you got a response. >>> > >>> > - Wiktor >>> > >>> > > >> Could someone with relevant knowledge help with my >>> > question? >>> > > >>> > > I'm not sure what you are asking. Are you asking how to >>> install >>> > mTLS >>> > > certs into the BMC and then use them to connect? I am still >>> > waiting for >>> > > documentation that describes how to configure and use the >>> mTLS >>> > feature. >>> > > >>> > > I've added an entry to the security working group as a >>> reminder to >>> > do >>> > > this. (I don't have the skill to document this feature.) >>> > > >>> > > - Joseph >>> > > >>> > > >> >>> > > >> Thanks, >>> > > >> Zhenfei >>> > > >>> >> [-- Attachment #2: Type: text/html, Size: 11292 bytes --] ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: mTLS on bmcweb 2020-04-30 23:39 ` Zhenfei Tai @ 2020-05-04 2:27 ` P. K. Lee (李柏寬) 2020-05-06 11:13 ` Zbyszek 0 siblings, 1 reply; 14+ messages in thread From: P. K. Lee (李柏寬) @ 2020-05-04 2:27 UTC (permalink / raw) To: Zhenfei Tai; +Cc: Wiktor Gołgowski, Richard Hanley, openbmc, jrey [-- Attachment #1: Type: text/plain, Size: 6940 bytes --] On May 1, 2020, at 07:39, Zhenfei Tai <ztai@google.com<mailto:ztai@google.com>> wrote: I did more testing and found the reason why it accepts any client certification. The error is due to the self signed certificate cannot be found in the list of trusted certificates. Without the user defined verify callback function, it works as expected. #define X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT<https://docs.huihoo.com/doxygen/openssl/1.0.1c/crypto_2x509_2x509__vfy_8h.html#aa4f5a3309eae833f85dff37c36fa039d> 18 // Check if certificate is OK int error = X509_STORE_CTX_get_error(cts); if (error != X509_V_OK) { return true; } Yes, I also thought the key is that the self-signed certificate is not in the trusted store. However, the self-signed CA certificate I uploaded using the Redfish API and modify the code to another "set_verify_mode" is actually useless. On Thu, Apr 30, 2020 at 12:09 PM Zhenfei Tai <ztai@google.com<mailto:ztai@google.com>> wrote: Also, with that change in http_connection.h, it still accepts any client certificate provided in curl. Here's what I did: 1. Disable BMCWEB_ENABLE_MUTUAL_TLS_AUTHENTICATION 2. Uncommented ssl_key_handler.hpp:315 and added the boost::asio::ssl::verify_fail_if_no_peer_cert Behavior after change: 1. Rejects curl without client certificate. 2. Returns when client certificate matches the one authority directory. 3. Rejects when client sends other certificates. The change is just for testing purposes, I guess the original intention was not to mTLS every request. It works :D On Thu, Apr 30, 2020 at 11:34 AM Zhenfei Tai <ztai@google.com<mailto:ztai@google.com>> wrote: Hi P.K. I tried the same thing. Could you share which url you tested? With that change, if I access the https://${bmc}/redfish/v1 url in chrome, it prompts to choose a client certificate, but will also work if no certificate is chosen. Thanks, Zhenfei On Thu, Apr 30, 2020 at 6:27 AM P. K. Lee (李柏寬) <P.K.Lee@quantatw.com<mailto:P.K.Lee@quantatw.com>> wrote: I found a way to fix this issue, but it needs to be modified to the source code. In two steps: Step 1. The source code "adaptor.set_verify_mode(boost::asio::ssl::verify_peer);" in http_connection.h is replaced with "adaptor.set_verify_mode(boost::asio::ssl::verify_peer | boost::asio::ssl::verify_fail_if_no_peer_cert);" Step 2. AccountService->Oem->OpenBMC->AuthMethods->TLS is set. (false by default) It will enable enforce mTLS authentication. Best, P.K. > -----Original Message----- > From: Wiktor Gołgowski <wiktor.golgowski@linux.intel.com<mailto:wiktor.golgowski@linux.intel.com>> > Sent: Saturday, April 25, 2020 1:03 AM > To: Richard Hanley <rhanley@google.com<mailto:rhanley@google.com>>; Zhenfei Tai <ztai@google.com<mailto:ztai@google.com>> > Cc: openbmc@lists.ozlabs.org<mailto:openbmc@lists.ozlabs.org>; P. K. Lee (李柏寬) <P.K.Lee@quantatw.com<mailto:P.K.Lee@quantatw.com>>; > jrey@linux.ibm.com<mailto:jrey@linux.ibm.com>; P. K. Lee (李柏寬) <P.K.Lee@quantatw.com<mailto:P.K.Lee@quantatw.com>>; Joseph > Reynolds <jrey@linux.ibm.com<mailto:jrey@linux.ibm.com>> > Subject: Re: mTLS on bmcweb > > > > On 4/23/20 7:35 PM, Richard Hanley wrote: > > My guess is that somehow the root cert used to validate clients isn't installed > correctly, and so it's defaulting to basic auth. > > > > At least that's my reading of this review > > https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/27270 > > > > I think this would be the case. If the client certificate is not provided, TLS > connection is still established, just without authenticating the client. This > allows upper layer to provide other authentication methods (e.g. Basic Auth). > > > > On Thu, Apr 23, 2020 at 9:47 AM Zhenfei Tai <ztai@google.com<mailto:ztai@google.com> > <mailto:ztai@google.com<mailto:ztai@google.com>>> wrote: > > > > I guess part of my question is how to configure the mTLS certs to make > it work properly. > > > > So far only https works (server side TLS). > > > > Thanks, > > Zhenfei > > > > On Thu, Apr 23, 2020 at 8:50 AM Joseph Reynolds <jrey@linux.ibm.com<mailto:jrey@linux.ibm.com> > <mailto:jrey@linux.ibm.com<mailto:jrey@linux.ibm.com>>> wrote: > > > > On 4/23/20 5:47 AM, P. K. Lee (李柏寬) wrote: > > > Hi, > > > > > > I encountered the same issue when using Redfish to replace the > certificate. > > > Regardless of whether the parameters include --cert --key > --cacert or only --cacert, the authentication can still succeed. > > > > > > Best, > > > P.K. > > > > > >> Date: Wed, 22 Apr 2020 14:58:06 -0700 > > >> From: Zhenfei Tai <ztai@google.com<mailto:ztai@google.com> > <mailto:ztai@google.com<mailto:ztai@google.com>>> > > >> To: openbmc@lists.ozlabs.org<mailto:openbmc@lists.ozlabs.org> > <mailto:openbmc@lists.ozlabs.org<mailto:openbmc@lists.ozlabs.org>> > > >> Subject: mTLS on bmcweb > > >> Message-ID: > > > >> <CAMXw96Pp511sUO=q1XLz2uJzh4S6D7tUwmkvpbnq_yU-iJfiKg@ > mail.g > > >> mail.com<http://mail.com/> <http://mail.com<http://mail.com/>>> > > >> Content-Type: text/plain; charset="utf-8" > > >> > > >> Hi, > > >> > > >> I'm trying out bmcweb mTLS which should be enabled by > default by > > >> > https://github.com/openbmc/bmcweb/blob/master/CMakeLists.txt#L89 > > >> > > >> In my test, I created a self signed key and certificate pair, > stacked them > > >> up into server.pem in /etc/ssl/certs/https that bmcweb uses. > > >> > > >> However when I tried to curl bmcweb service, I was able to get > response by > > >> only supplying the cert. > > >> > > >> curl --cacert cert.pem https://${bmc}/redfish/v1 > > >> > > >> With the mTLS enabled, I expected it should error out since no > client > > >> certificate is provided. > > >> > > As mentioned, if you did not provide a client certificate, connection was > established to allow for Basic Auth. And as the Service Root requires no > authentication, you got a response. > > - Wiktor > > > >> Could someone with relevant knowledge help with my > question? > > > > I'm not sure what you are asking. Are you asking how to install > mTLS > > certs into the BMC and then use them to connect? I am still > waiting for > > documentation that describes how to configure and use the mTLS > feature. > > > > I've added an entry to the security working group as a reminder to > do > > this. (I don't have the skill to document this feature.) > > > > - Joseph > > > > >> > > >> Thanks, > > >> Zhenfei > > [-- Attachment #2: Type: text/html, Size: 15436 bytes --] ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: mTLS on bmcweb 2020-05-04 2:27 ` P. K. Lee (李柏寬) @ 2020-05-06 11:13 ` Zbyszek 0 siblings, 0 replies; 14+ messages in thread From: Zbyszek @ 2020-05-06 11:13 UTC (permalink / raw) To: openbmc [-- Attachment #1: Type: text/plain, Size: 7529 bytes --] Hi, proper documentation that describes how to configure and use the mTLS feature is in progress and soon will appear in OpenBmc docs. Thanks for your patience :) pon., 4 maj 2020 o 04:29 P. K. Lee (李柏寬) <P.K.Lee@quantatw.com> napisał(a): > > On May 1, 2020, at 07:39, Zhenfei Tai <ztai@google.com> wrote: > > I did more testing and found the reason why it accepts any client > certification. > The error is due to the self signed certificate cannot be found in the > list of trusted certificates. > Without the user defined verify callback function, it works as expected. > > #define X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT > <https://docs.huihoo.com/doxygen/openssl/1.0.1c/crypto_2x509_2x509__vfy_8h.html#aa4f5a3309eae833f85dff37c36fa039d> > 18 > > // Check if certificate is OK > int error = X509_STORE_CTX_get_error(cts); > if (error != X509_V_OK) > { > return true; > } > > Yes, I also thought the key is that the self-signed certificate is not in > the trusted store. > However, the self-signed CA certificate I uploaded using the Redfish API > and modify the code to another "set_verify_mode" is actually useless. > > On Thu, Apr 30, 2020 at 12:09 PM Zhenfei Tai <ztai@google.com> wrote: > >> Also, with that change in http_connection.h, it still accepts any client >> certificate provided in curl. >> >> Here's what I did: >> 1. Disable BMCWEB_ENABLE_MUTUAL_TLS_AUTHENTICATION >> 2. Uncommented ssl_key_handler.hpp:315 and added the >> boost::asio::ssl::verify_fail_if_no_peer_cert >> >> Behavior after change: >> 1. Rejects curl without client certificate. >> 2. Returns when client certificate matches the one authority directory. >> 3. Rejects when client sends other certificates. >> >> The change is just for testing purposes, I guess the original intention >> was not to mTLS every request. >> >> It works :D > > On Thu, Apr 30, 2020 at 11:34 AM Zhenfei Tai <ztai@google.com> wrote: >> >>> Hi P.K. >>> >>> I tried the same thing. >>> >>> Could you share which url you tested? >>> With that change, if I access the https://${bmc}/redfish/v1 url in >>> chrome, it prompts to choose a client certificate, but will also work if no >>> certificate is chosen. >>> >>> Thanks, >>> Zhenfei >>> >>> On Thu, Apr 30, 2020 at 6:27 AM P. K. Lee (李柏寬) <P.K.Lee@quantatw.com> >>> wrote: >>> >>>> I found a way to fix this issue, but it needs to be modified to the >>>> source code. In two steps: >>>> >>>> Step 1. >>>> The source code >>>> "adaptor.set_verify_mode(boost::asio::ssl::verify_peer);" in >>>> http_connection.h is replaced with >>>> "adaptor.set_verify_mode(boost::asio::ssl::verify_peer | >>>> boost::asio::ssl::verify_fail_if_no_peer_cert);" >>>> >>>> Step 2. >>>> AccountService->Oem->OpenBMC->AuthMethods->TLS is set. (false by >>>> default) >>>> >>>> It will enable enforce mTLS authentication. >>>> >>>> Best, >>>> P.K. >>>> >>>> > -----Original Message----- >>>> > From: Wiktor Gołgowski <wiktor.golgowski@linux.intel.com> >>>> > Sent: Saturday, April 25, 2020 1:03 AM >>>> > To: Richard Hanley <rhanley@google.com>; Zhenfei Tai <ztai@google.com >>>> > >>>> > Cc: openbmc@lists.ozlabs.org; P. K. Lee (李柏寬) <P.K.Lee@quantatw.com>; >>>> > jrey@linux.ibm.com; P. K. Lee (李柏寬) <P.K.Lee@quantatw.com>; Joseph >>>> > Reynolds <jrey@linux.ibm.com> >>>> > Subject: Re: mTLS on bmcweb >>>> > >>>> > >>>> > >>>> > On 4/23/20 7:35 PM, Richard Hanley wrote: >>>> > > My guess is that somehow the root cert used to validate clients >>>> isn't installed >>>> > correctly, and so it's defaulting to basic auth. >>>> > > >>>> > > At least that's my reading of this review >>>> > > https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/27270 >>>> > > >>>> > >>>> > I think this would be the case. If the client certificate is not >>>> provided, TLS >>>> > connection is still established, just without authenticating the >>>> client. This >>>> > allows upper layer to provide other authentication methods (e.g. >>>> Basic Auth). >>>> > > >>>> > > On Thu, Apr 23, 2020 at 9:47 AM Zhenfei Tai <ztai@google.com >>>> > <mailto:ztai@google.com>> wrote: >>>> > > >>>> > > I guess part of my question is how to configure the mTLS certs >>>> to make >>>> > it work properly. >>>> > > >>>> > > So far only https works (server side TLS). >>>> > > >>>> > > Thanks, >>>> > > Zhenfei >>>> > > >>>> > > On Thu, Apr 23, 2020 at 8:50 AM Joseph Reynolds < >>>> jrey@linux.ibm.com >>>> > <mailto:jrey@linux.ibm.com>> wrote: >>>> > > >>>> > > On 4/23/20 5:47 AM, P. K. Lee (李柏寬) wrote: >>>> > > > Hi, >>>> > > > >>>> > > > I encountered the same issue when using Redfish to >>>> replace the >>>> > certificate. >>>> > > > Regardless of whether the parameters include --cert --key >>>> > --cacert or only --cacert, the authentication can still succeed. >>>> > > > >>>> > > > Best, >>>> > > > P.K. >>>> > > > >>>> > > >> Date: Wed, 22 Apr 2020 14:58:06 -0700 >>>> > > >> From: Zhenfei Tai <ztai@google.com >>>> > <mailto:ztai@google.com>> >>>> > > >> To: openbmc@lists.ozlabs.org >>>> > <mailto:openbmc@lists.ozlabs.org> >>>> > > >> Subject: mTLS on bmcweb >>>> > > >> Message-ID: >>>> > > >>>> > >> <CAMXw96Pp511sUO=q1XLz2uJzh4S6D7tUwmkvpbnq_yU-iJfiKg@ >>>> > mail.g >>>> > > >> mail.com <http://mail.com>> >>>> > > >> Content-Type: text/plain; charset="utf-8" >>>> > > >> >>>> > > >> Hi, >>>> > > >> >>>> > > >> I'm trying out bmcweb mTLS which should be enabled by >>>> > default by >>>> > > >> >>>> > https://github.com/openbmc/bmcweb/blob/master/CMakeLists.txt#L89 >>>> > > >> >>>> > > >> In my test, I created a self signed key and certificate >>>> pair, >>>> > stacked them >>>> > > >> up into server.pem in /etc/ssl/certs/https that bmcweb >>>> uses. >>>> > > >> >>>> > > >> However when I tried to curl bmcweb service, I was able >>>> to get >>>> > response by >>>> > > >> only supplying the cert. >>>> > > >> >>>> > > >> curl --cacert cert.pem https://${bmc}/redfish/v1 >>>> > > >> >>>> > > >> With the mTLS enabled, I expected it should error out >>>> since no >>>> > client >>>> > > >> certificate is provided. >>>> > > >> >>>> > >>>> > As mentioned, if you did not provide a client certificate, connection >>>> was >>>> > established to allow for Basic Auth. And as the Service Root requires >>>> no >>>> > authentication, you got a response. >>>> > >>>> > - Wiktor >>>> > >>>> > > >> Could someone with relevant knowledge help with my >>>> > question? >>>> > > >>>> > > I'm not sure what you are asking. Are you asking how to >>>> install >>>> > mTLS >>>> > > certs into the BMC and then use them to connect? I am still >>>> > waiting for >>>> > > documentation that describes how to configure and use the >>>> mTLS >>>> > feature. >>>> > > >>>> > > I've added an entry to the security working group as a >>>> reminder to >>>> > do >>>> > > this. (I don't have the skill to document this feature.) >>>> > > >>>> > > - Joseph >>>> > > >>>> > > >> >>>> > > >> Thanks, >>>> > > >> Zhenfei >>>> > > >>>> >>> > [-- Attachment #2: Type: text/html, Size: 12869 bytes --] ^ permalink raw reply [flat|nested] 14+ messages in thread
* RE: mTLS on bmcweb
@ 2020-06-08 2:48 Ed Tanous
2020-06-10 3:50 ` Zhenfei Tai
0 siblings, 1 reply; 14+ messages in thread
From: Ed Tanous @ 2020-06-08 2:48 UTC (permalink / raw)
To: openbmc
>> I did more testing and found the reason why it accepts any client
certification.
It looks like you never got a great answer to this.
There's a slight conflict between needs here. On the one hand, bmcweb
needs to support multiple authentication mechanisms, some of which are
compatible with standards that are more or less set in stone (Redfish,
Dbus-rest api, ect). On the other hand, a lot of people looking to
turn on mutual TLS auth are doing so to reduce the scope of code they
have to "trust" for authentication down to only the SSL library, which
(hopefully) is rigorously tested. The problem arises here that there
are modes, like Redfish and the webui, that require certain assets to
be available without authentication. In the case of Redfish, it
requires the introspectable schema files, in the case of the webui,
the static pages that make it up need to be loaded so the UI launches
and the user sees a login page. (Unrelated note, we make more than is
needed available here, but that's a different problem.)
When I first built the patch to do mutual TLS, my intention was to at
least try to support as many authentication mechanisms as I could,
hence the code you're looking at now that only uses the mutual TLS
auth as a _possible_ authentication mechanism, leaving the final
decision be made by the auth code in bmcweb. One thing that seems to
have gotten lost in translation somewhere between that code and when
it hit master is that if mutual TLS is the only enabled authentication
mechanism at that point in time, we know that we're not operating in
any standards that would require static assets, and bmcweb can simply
deny the connection on the front end, like you would expect, in the
code that you've already found.
TL;DR;
Add something like this:
// Get the current auth config
AuthConfigMethods& methods =
crow::persistent_data::SessionStore::getInstance().getAuthMethodsConfig();
// if only mTLS is enabled, we can close the connection immediately,
as no other auth methods will be tried.
if (methods. xtoken == false &&
methods.cookie == false &&
methods.sessionToken == false &&
methods.basic = false &&
methods.tls == true){
return false;
}
Here:
https://github.com/openbmc/bmcweb/blame/master/http/http_connection.h#L302
...and I suspect it'll work like you want.
^ permalink raw reply [flat|nested] 14+ messages in thread* Re: mTLS on bmcweb 2020-06-08 2:48 Ed Tanous @ 2020-06-10 3:50 ` Zhenfei Tai 0 siblings, 0 replies; 14+ messages in thread From: Zhenfei Tai @ 2020-06-10 3:50 UTC (permalink / raw) To: Ed Tanous; +Cc: OpenBMC Maillist [-- Attachment #1: Type: text/plain, Size: 2746 bytes --] Hi Ed, Thanks for the email with great details! I came to realize that it was my misunderstanding/assumption which caused the confusion. I've reviewed the bmcweb TLS documentation and learned mTLS was only one authentication option other than a requirement. Zhenfei On Sun, Jun 7, 2020 at 7:49 PM Ed Tanous <ed@tanous.net> wrote: > >> I did more testing and found the reason why it accepts any client > certification. > > It looks like you never got a great answer to this. > > There's a slight conflict between needs here. On the one hand, bmcweb > needs to support multiple authentication mechanisms, some of which are > compatible with standards that are more or less set in stone (Redfish, > Dbus-rest api, ect). On the other hand, a lot of people looking to > turn on mutual TLS auth are doing so to reduce the scope of code they > have to "trust" for authentication down to only the SSL library, which > (hopefully) is rigorously tested. The problem arises here that there > are modes, like Redfish and the webui, that require certain assets to > be available without authentication. In the case of Redfish, it > requires the introspectable schema files, in the case of the webui, > the static pages that make it up need to be loaded so the UI launches > and the user sees a login page. (Unrelated note, we make more than is > needed available here, but that's a different problem.) > > When I first built the patch to do mutual TLS, my intention was to at > least try to support as many authentication mechanisms as I could, > hence the code you're looking at now that only uses the mutual TLS > auth as a _possible_ authentication mechanism, leaving the final > decision be made by the auth code in bmcweb. One thing that seems to > have gotten lost in translation somewhere between that code and when > it hit master is that if mutual TLS is the only enabled authentication > mechanism at that point in time, we know that we're not operating in > any standards that would require static assets, and bmcweb can simply > deny the connection on the front end, like you would expect, in the > code that you've already found. > > TL;DR; > > Add something like this: > > // Get the current auth config > AuthConfigMethods& methods = > crow::persistent_data::SessionStore::getInstance().getAuthMethodsConfig(); > // if only mTLS is enabled, we can close the connection immediately, > as no other auth methods will be tried. > if (methods. xtoken == false && > methods.cookie == false && > methods.sessionToken == false && > methods.basic = false && > methods.tls == true){ > return false; > } > > Here: > https://github.com/openbmc/bmcweb/blame/master/http/http_connection.h#L302 > > ...and I suspect it'll work like you want. > [-- Attachment #2: Type: text/html, Size: 3476 bytes --] ^ permalink raw reply [flat|nested] 14+ messages in thread
* mTLS on bmcweb
@ 2020-04-22 21:58 Zhenfei Tai
0 siblings, 0 replies; 14+ messages in thread
From: Zhenfei Tai @ 2020-04-22 21:58 UTC (permalink / raw)
To: openbmc
[-- Attachment #1: Type: text/plain, Size: 599 bytes --]
Hi,
I'm trying out bmcweb mTLS which should be enabled by default by
https://github.com/openbmc/bmcweb/blob/master/CMakeLists.txt#L89
In my test, I created a self signed key and certificate pair, stacked them
up into server.pem in /etc/ssl/certs/https that bmcweb uses.
However when I tried to curl bmcweb service, I was able to get response by
only supplying the cert.
curl --cacert cert.pem https://${bmc}/redfish/v1
With the mTLS enabled, I expected it should error out since no client
certificate is provided.
Could someone with relevant knowledge help with my question?
Thanks,
Zhenfei
[-- Attachment #2: Type: text/html, Size: 929 bytes --]
^ permalink raw reply [flat|nested] 14+ messages in threadend of thread, other threads:[~2020-06-10 3:50 UTC | newest]
Thread overview: 14+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
[not found] <mailman.1237.1587601186.5884.openbmc@lists.ozlabs.org>
2020-04-23 10:47 ` mTLS on bmcweb P. K. Lee (李柏寬)
2020-04-23 15:50 ` Joseph Reynolds
2020-04-23 16:36 ` Zhenfei Tai
2020-04-23 17:35 ` Richard Hanley
2020-04-24 17:03 ` Wiktor Gołgowski
2020-04-30 13:27 ` P. K. Lee (李柏寬)
2020-04-30 18:34 ` Zhenfei Tai
2020-04-30 19:09 ` Zhenfei Tai
2020-04-30 23:39 ` Zhenfei Tai
2020-05-04 2:27 ` P. K. Lee (李柏寬)
2020-05-06 11:13 ` Zbyszek
2020-06-08 2:48 Ed Tanous
2020-06-10 3:50 ` Zhenfei Tai
-- strict thread matches above, loose matches on Subject: below --
2020-04-22 21:58 Zhenfei Tai
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.